Authentication
Do
🗸 Use pre-existing authentication providers and SSO solutions
Do not
⨯ Implement custom authentication
⨯ Implement custom encryption of user credentials
Authorization
Do
🗸 Base authorization decisions on user identity
🗸 Implement authorization centrally
Clickjacking
Do
🗸 Send the X-Frame-Options header with all responses (e.g. set the value to SAMEORIGIN)
Do not
⨯ Allow the pages to be displayed in a frame
Client-side data
Do
🗸 Consider encrypting data stored on the client
Do not
⨯ Store private data on the client (i.e. in the browser)
Cookies
Do
🗸 Set all cookies as secure when over https
🗸 Set all cookies as HttpOnly
Do not
⨯ Store state in cookies
⨯ Trust any data stored in cookies
Cross-origin resource sharing (CORS)
Do not
⨯ Use JSONP
⨯ Use 'Access-Control-Allow-Origin: *'
Cross-Site Request Forgery (CSRF)
Do
🗸 Implement a standard protection (e.g. the double-submit cookie pattern)
Cross-Site Scripting (XSS)
Do
🗸 Use functions as parameters when calling setTimeout() & setInterval()
🗸 Encode all user supplied input when rendered into the HTML.
Do not
⨯ Use eval()
Data security
Do
🗸 Encrypt all data when it is 'at rest' (e.g. in a file, cache, database, service bus)
🗸 Encrypt data when it is moving between processes
🗸 Apply good database security practices
Denial of service (DoS)
Do
🗸 Restrict unauthenticated activity using captchas
🗸 Restrict the number of results returned by any query to a hard-coded limit
🗸 Implement paged results
Beware of
⚠ High CPU and memory load associated with specific user interactions
Directory traversal
Do
🗸 Implement input validation
🗸 Reference files by id, rather than by name
🗸 Validate user supplied filenames and paths
File upload/download
Do
🗸 Add the header 'X-Content-Type-Options: nosniff'
🗸 Restrict the types of files that can be uploaded
🗸 Run a virus scanner on uploaded files
🗸 Consider directory traversal defenses
🗸 Require authentication of the user uploading and downloading files
🗸 Consider encrypting the files if they are stored on disk
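The directory traversal and file upload items above (reference files by id, validate user-supplied filenames and paths) can be combined into one small download-path resolver. The following is an added example and not code from the original checklist; the upload root, the id-to-filename index and the filename character policy are constructed for illustration.

```python
import os
import re
import tempfile

# Constructed example: one upload directory and an opaque id -> stored-name index.
UPLOAD_ROOT = os.path.realpath(tempfile.mkdtemp(prefix="uploads_"))
FILE_INDEX = {"f1": "report.pdf", "f2": "photo.jpg"}

# Whitelist: a plain basename, no separators, no leading dot, bounded length.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$")


def validate_filename(name: str) -> str:
    """Accept only a basename built from whitelisted characters."""
    if not SAFE_NAME.match(name) or ".." in name:
        raise ValueError("rejected filename")
    return name


def resolve_path(name: str) -> str:
    """Join under UPLOAD_ROOT and confirm the resolved path stays inside it.

    realpath() collapses '..' and symlinks, so the containment check is made
    on what the filesystem would actually open, not on the raw string.
    """
    candidate = os.path.realpath(os.path.join(UPLOAD_ROOT, name))
    if os.path.commonpath([UPLOAD_ROOT, candidate]) != UPLOAD_ROOT:
        raise ValueError("path escapes upload root")
    return candidate


def path_for_id(file_id: str) -> str:
    """Preferred approach: the client sends an opaque id, never a filename."""
    try:
        name = FILE_INDEX[file_id]
    except KeyError:
        raise ValueError("unknown file id") from None
    # Validate even the stored name, so a bad index entry cannot escape either.
    return resolve_path(validate_filename(name))


def is_safe_user_filename(name: str) -> bool:
    """True when a user-supplied name passes both the whitelist and containment checks."""
    try:
        resolve_path(validate_filename(name))
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(path_for_id("f1"))
    for probe in ("report.pdf", "../../etc/passwd", ".hidden", "a/b.txt"):
        print(f"{probe!r}: {'accepted' if is_safe_user_filename(probe) else 'rejected'}")
```

Both checks are kept even though the id lookup makes the filename check redundant in the normal path: the whitelist is the first line of defence and the containment check catches anything that slips through it (for example a symlink planted inside the upload directory).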
Information disclosure
Do
🗸 Remove all unnecessary http headers
🗸 Restrict search engine discovery via robots.txt
Do not
⨯ Display verbose error messages
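Several of the items above are response-header hygiene: X-Frame-Options (Clickjacking), Secure and HttpOnly on cookies (Cookies), no wildcard Access-Control-Allow-Origin (CORS), X-Content-Type-Options: nosniff (File upload/download) and removing unnecessary headers (Information disclosure). The following audit function, an added example rather than code from the original page, checks a captured header list against those items. The two header sets are constructed samples, and the list of "unnecessary" headers it flags (Server, X-Powered-By, X-AspNet-Version) is an assumed policy.

```python
from http.cookies import SimpleCookie


def audit_response_headers(headers):
    """Return a list of findings for a list of (name, value) response header pairs."""
    findings = []
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)

    # Clickjacking: the page must not be frameable by other origins.
    xfo = by_name.get("x-frame-options", [])
    if not xfo or xfo[0].strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("missing X-Frame-Options DENY/SAMEORIGIN (clickjacking)")

    # Uploaded content must not be MIME-sniffed into something executable.
    xcto = by_name.get("x-content-type-options", [])
    if not xcto or xcto[0].strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")

    # CORS: a wildcard origin makes the response readable from any site.
    if "*" in (v.strip() for v in by_name.get("access-control-allow-origin", [])):
        findings.append("Access-Control-Allow-Origin: * allows any origin")

    # Information disclosure: assumed list of headers that only reveal the stack.
    for hdr in ("server", "x-powered-by", "x-aspnet-version"):
        if hdr in by_name:
            findings.append(f"remove {hdr} header (information disclosure)")

    # Cookies: every Set-Cookie must carry Secure and HttpOnly.
    for raw in by_name.get("set-cookie", []):
        jar = SimpleCookie()
        jar.load(raw)
        for key, morsel in jar.items():
            if not morsel["secure"]:
                findings.append(f"cookie {key} lacks Secure")
            if not morsel["httponly"]:
                findings.append(f"cookie {key} lacks HttpOnly")
    return findings


# Constructed samples: a weak response and its hardened counterpart.
WEAK_HEADERS = [
    ("Content-Type", "text/html"),
    ("Server", "Apache/2.4"),
    ("Set-Cookie", "session=abc123; Path=/"),
    ("Access-Control-Allow-Origin", "*"),
]
HARDENED_HEADERS = [
    ("Content-Type", "text/html"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_response_headers(hdrs) or "no findings")
```

Running this against the weak sample yields six findings and against the hardened sample none. It is a useful smoke test to run in CI against a staging deployment, where header regressions from a framework upgrade or a new reverse proxy tend to show up first.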
SQL Injection (SQLi)
Do
🗸 Use ORMs such as Hibernate, NHibernate & Entity Framework
🗸 Use parameterised queries
🗸 Use stored procedures
Do not
⨯ Concatenate strings
⨯ Use sp_executesql
Beware of
⚠ Custom queries in ORMs
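The SQL injection items above (parameterised queries, never concatenating strings) and the DoS items (hard-coded result limit, paged results) fit naturally in one data-access layer. The following is an added example, not code from the original checklist: it uses Python's built-in sqlite3 driver and a constructed in-memory users table, and the MAX_PAGE_SIZE value is an assumed limit. The concatenating function is kept only to show the defect beside the fix.

```python
import sqlite3

MAX_PAGE_SIZE = 50  # assumed hard-coded upper bound on rows per response


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for an application users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("bob",), ("O'Brien",)])
    return conn


def find_user_concat(conn, name: str):
    """Vulnerable: user input becomes part of the statement text."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_param(conn, name: str):
    """Hardened: the driver sends the value separately from the statement."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def concat_breaks_on_quote(conn) -> bool:
    """A legitimate name containing an apostrophe is enough to break the concatenated query."""
    try:
        find_user_concat(conn, "O'Brien")
    except sqlite3.OperationalError:
        return True
    return False


def list_users_paged(conn, page: int, page_size: int):
    """Paged results with the page size clamped to MAX_PAGE_SIZE, whatever the client asks for."""
    page_size = max(1, min(int(page_size), MAX_PAGE_SIZE))
    offset = max(0, int(page)) * page_size
    rows = conn.execute(
        "SELECT name FROM users ORDER BY id LIMIT ? OFFSET ?", (page_size, offset))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print("concatenation breaks on O'Brien:", concat_breaks_on_quote(db))
    print("parameterised lookup of O'Brien:", find_user_param(db, "O'Brien"))
    tautology = "x' OR '1'='1"
    print("concatenated with tautology:", find_user_concat(db, tautology))
    print("parameterised with tautology:", find_user_param(db, tautology))
    print("page 0 with oversized page size:", list_users_paged(db, 0, 10_000))
```

The contrast is the point: the parameterised version treats the whole input as one string value, so the tautology returns nothing and the apostrophe in O'Brien is just data. The same rule applies to the ORM "custom queries" warning above: an ORM's raw-query escape hatch is only safe when it also takes bound parameters.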
Stored Cross-Site Scripting
Do
🗸 Validate all user supplied text against a whitelist of valid characters
🗸 Encode all user supplied input when rendered into the HTML.
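The two stored XSS items above (validate against a whitelist, encode on output), together with the same encoding rule in the XSS section, are shown in the following added example; it is not code from the original page. The display-name character policy and the comment markup are constructed for illustration.

```python
import html
import re

# Constructed whitelist for a short, constrained field such as a display name.
NAME_RE = re.compile(r"^[A-Za-z0-9 .,'-]{1,40}$")


def validate_display_name(value: str) -> str:
    """Reject a display name unless every character is on the whitelist."""
    if not NAME_RE.match(value):
        raise ValueError("display name contains disallowed characters")
    return value


def is_valid_display_name(value: str) -> bool:
    try:
        validate_display_name(value)
        return True
    except ValueError:
        return False


def render_comment(author: str, body: str) -> str:
    """Encode every user-supplied value at the point it is written into HTML.

    quote=True also encodes ' and ", which matters when the same helper is
    reused inside attribute values. Validation of `author` happened at input
    time; encoding still happens here, because a free-text `body` cannot be
    whitelisted and stored data must never be trusted on the way out.
    """
    return ("<article><h4>" + html.escape(author, quote=True) + "</h4>"
            "<p>" + html.escape(body, quote=True) + "</p></article>")


def render_attribute(value: str) -> str:
    """Same rule for an attribute context: the value is quoted and fully encoded."""
    return '<input value="' + html.escape(value, quote=True) + '">'


if __name__ == "__main__":
    print(render_comment("O'Brien", "<script>alert(1)</script>"))
    print(render_attribute('" onfocus="alert(1)'))
    print(is_valid_display_name("<b>bob</b>"))
```

A name like O'Brien passes the whitelist and is still rendered as O&#x27;Brien, which is the behaviour you want: validation narrows what is stored, encoding makes whatever is stored inert in the browser.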
General
Do
🗸 Remove obsolete and unused code
🗸 Validate all input including query string parameters
🗸 Implement logging
🗸 Defend against log poisoning